Prerequisites Checklist
- Tenable.ad works with Windows Server 2016 with the latest available update.
- Tenable.ad installation program requires Local Administrator rights on Windows Server 2016. If the account used for the installation is the default account, ensure that this account can run programs without restrictions.
- Tenable Identity Exposure services require Local Administrator rights to run local services on the machine.
- Tenable Identity Exposure requires a dedicated data partition. Do not run Tenable.ad on the OS partition, to prevent a system freeze if the partition is full.
- Tenable Identity Exposure SQL instance requires the virtual accounts usage feature.
- Tenable Identity Exposure must run as a black box. Dedicate each machine to Tenable Identity Exposure and do not share it with another product.
- Tenable.ad can create any folder starting with the "Alsid" or "Tenable" prefix on the data partition. Therefore, do not create folders starting with "Alsid" or "Tenable" on the data partition.
- Erlang: Do not modify the HOMEDRIVE environment variable. The PATHEXT environment variable must contain the .exe and .bat file extensions.
- If you must set the AD service account of Tenable Identity Exposure as a Protected Users group member, ensure your Tenable Identity Exposure configuration supports Kerberos authentication, because Protected Users cannot use NTLM authentication.
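
The host-level items in the list above can be verified before running the installer. The following preflight script is an added example, not a Tenable tool or part of the original page; it covers only the checks that can be made locally, and the `$DataDrive` parameter (default `D:`) is an assumption standing in for your dedicated data partition.

```powershell
# Added example: local preflight for the host prerequisites listed above.
# Assumption: $DataDrive is the dedicated data partition chosen for the install.
param([string]$DataDrive = 'D:')

$results = [ordered]@{}

# The OS must be Windows Server 2016.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$results['OS is Windows Server 2016'] = $os.Caption -like '*Windows Server 2016*'

# The installer needs Local Administrator rights (elevated session).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$results['Running with Local Administrator rights'] = $isAdmin

# The data partition must exist and must not be the OS partition.
$dataRoot = $DataDrive.TrimEnd('\')
$separate = (Test-Path "$dataRoot\") -and ($dataRoot -ne $env:SystemDrive)
$results['Dedicated data partition (not the OS partition)'] = $separate

# No folder with the reserved "Alsid" or "Tenable" prefix may already exist there.
$reserved = @(Get-ChildItem -Path "$dataRoot\" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^(Alsid|Tenable)' })
$results['No existing Alsid*/Tenable* folders on data partition'] = $reserved.Count -eq 0

# Erlang requirement: PATHEXT must contain .exe and .bat (comparison is case-insensitive).
$ext = $env:PATHEXT -split ';'
$results['PATHEXT contains .exe and .bat'] = ($ext -contains '.EXE') -and ($ext -contains '.BAT')

# Report each check and return a non-zero exit code if any failed.
$failed = $false
foreach ($check in $results.GetEnumerator()) {
    $status = if ($check.Value) { 'PASS' } else { 'FAIL' }
    '{0}  {1}' -f $status, $check.Key
    if (-not $check.Value) { $failed = $true }
}
if ($failed) { exit 1 }
```

Run it from an elevated PowerShell session on each machine dedicated to Tenable Identity Exposure. The update level, the SQL virtual accounts feature, and Protected Users membership are not checked and still need manual confirmation.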
This table summarizes the prerequisites in a handy checklist to complete before installation.
| Information or Resource to Reserve | Status |
|---|---|
| The required agreements (NDA, Evaluation Software License), if applicable | |
| The choice of architecture (centralized or distributed) | |
| The number of active AD users in the targeted domains to monitor | |
| The computing and memory resources based on Tenable Identity Exposure’s sizing matrix | |
| The private IP of each virtual machine used to deploy Tenable’s platform | |
| The type and IP address of the update management infrastructure | |
| The type and IP address of the time server | |
| The type and IP address of the PKI server | |
| The type and IP address of the identity provider | |
| Open required network flows for each service that Tenable Identity Exposure requires | |
| The private IP addresses of each Primary Domain Controller emulator | |
| Creation of a regular user account on each Active Directory forest to monitor | |
| On the specific Active Directory containers, grant access rights to the Tenable service account | |
| Grant access for Privileged Analysis if you want to enable this feature | |
| The AD domain user account login: | |
| A TLS certificate for Tenable Identity Exposure’s Web Portal, issued from the customer’s PKI | |
| The list of Tenable Identity Exposure user accounts to create: | |
| The list of optional configurations to activate (email notification, Syslog event forwarding, etc.) | |
| An identified and available project coordinator to work with Tenable | |
| Technical staff to respond to potential technical issues such as network filtering issues and an unreachable PDCe | |